Hakong

**Name of the Vulnerable Software and Affected Versions** rclone versions prior to 1.68.2 **Description** The issue is related to insecure handling of symlinks with `--links` and `--metadata` in rclone while copying to local disk. This allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. The vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. For instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process to copy their files with rclone using the `--links` and `--metadata` options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink’s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file. **Recommendations** For versions prior to 1.68.2, update to version 1.68.2 to fix the vulnerability. As a temporary workaround, consider avoiding the use of `--links` and `--metadata` when copying files to the local backend with rclone, especially when running as a superuser. Restrict access to sensitive system files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ISPConfig version 3.0.4.3 **Description** The issue allows the "Add new Webdav user" feature to modify permissions and ownership of files on the entire server from the client interface, potentially leading to unauthorized access and modifications. **Recommendations** For ISPConfig version 3.0.4.3, consider restricting access to the "Add new Webdav user" feature until a patch is available to prevent unauthorized modifications to the server's file system.